What is NAT-Traversal and how do I rule out problems with NAT-Traversal?

IPsec VPN uses a different protocol (ESP) for the actual data transfer than for establishing the connection (IKE). Since the ESP protocol does not use network ports, NAT (Network Address Translation) routers may have difficulties handling it correctly. Only NAT routers that support "IPSec Passthrough" (sometimes also named "VPN Passthrough" or "ESP Passthrough"), and where this option is also enabled, can handle ESP data packets.

To work around this problem, two alternative tunneling methods exist:

NAT-Traversal (old, RFC draft version)

NAT-Traversal (new, RFC standard version)

Which of these methods will work with your connection depends on two properties:

Which of these methods allows traffic to pass through your local Internet router.

Which of these methods are supported by your VPN remote gateway.

To test for the first property, VPN Tracker will automatically establish three VPN test connections to a VPN gateway hosted by us whenever it detects a new router that has not been tested before. One connection uses plain ESP; the other two each use one of the NAT-T methods mentioned above. It will remember the test results for this router and take them into account whenever you start a connection from that network location. The reason we are testing with our own gateway is simply that the test requires a gateway supporting all three methods, with a known configuration and a simple way to verify whether traffic arrived at that gateway.

The second property is not tested in advance; VPN Tracker becomes aware of that information when it actually tries to connect to your VPN gateway. VPN Tracker will compare the methods your gateway supports with the stored test results. If there is a match, that is, a method that your gateway supports and that was also working during the test, this method will be used. If there is no match, VPN Tracker will immediately stop and show an appropriate error in the log, explaining the situation.

If you suspect a NAT-Traversal issue or you think the previous test results may be wrong or outdated, simply re-run the test:

The test dialog also allows you to tell VPN Tracker not to test the current location and to forget any previously created test results. This is rarely needed and not recommended, but there might be situations where the test results are wrong because access to our VPN gateway is not possible (e.g. it is blocked), so the test results are bogus and say nothing about the true capabilities of your VPN gateway.
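When checking a packet capture to see which encapsulation a connection actually uses, the kinds of traffic can be told apart from the IP and UDP headers. The following is an added example, not VPN Tracker code: it assumes the standard NAT-T behaviour from RFC 3947/3948 (UDP port 4500, non-ESP marker, one-byte keepalive), which this page does not spell out, does not distinguish the older draft variant, and all function names and sample packets are constructed for illustration.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17          # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500        # UDP ports (RFC 3947/3948), not from the page

def classify(packet: bytes) -> str:
    """Name the IPsec traffic kind carried by one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4       # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto, payload = packet[9], packet[ihl:]
    if proto == ESP_PROTO:
        return "plain-esp"             # no ports: needs IPsec passthrough on the NAT router
    if proto != UDP_PROTO:
        return "other"
    if len(payload) < 8:
        return "malformed"
    sport, dport, ulen = struct.unpack("!HHH", payload[:6])
    if ulen < 8 or ulen > len(payload):
        return "malformed"
    data = payload[8:ulen]
    if NATT_PORT in (sport, dport):
        if data == b"\xff":
            return "nat-keepalive"     # one-byte keepalive holds the NAT mapping open
        if data[:4] == b"\x00\x00\x00\x00":
            return "ike-over-4500"     # four zero bytes = non-ESP marker
        if len(data) >= 8:
            return "udp-encapsulated-esp"  # starts with a non-zero SPI
        return "malformed"
    return "ike" if IKE_PORT in (sport, dport) else "other"

# Helpers that build constructed sample packets (checksums left at zero).
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP = struct.pack("!II", 0x1234ABCD, 1) + bytes(16)   # constructed SPI, sequence, dummy body
SAMPLES = {
    "esp": ipv4(ESP_PROTO, ESP),
    "natt": ipv4(UDP_PROTO, udp(4500, 4500, ESP)),
    "keepalive": ipv4(UDP_PROTO, udp(4500, 4500, b"\xff")),
    "ike4500": ipv4(UDP_PROTO, udp(4500, 4500, bytes(4) + bytes(28))),
    "ike500": ipv4(UDP_PROTO, udp(500, 500, bytes(28))),
}
```

If a capture on the WAN side of the router shows `plain-esp` leaving but nothing returning, while `udp-encapsulated-esp` flows in both directions, the router is not passing ESP and a NAT-T method is required.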
